Board Project Development
LastPass 1Password Security Crypto Challenge + Bounty
by
GeekWisdom
on 26/01/2022, 03:08:16 UTC


The other day I tweeted a security tip to remind folks not to use real answers to password reset security questions, and suggested they can store their answers in a tool like LastPass. No sooner did I tweet this than I got this response:



I had never heard of this #LastPassHack, so when I looked it up, it sent me to a Hacker News article from Dec 26, 2021, apparently talking about the apparent compromise of users' master passwords.

Except this should be impossible, since LastPass should not be storing in any way the user's master password, so this brought into question a service I have been using and storing data in for many years... Could they be lying to me? Should I switch to another service like 1Password?

To help answer this question, I decided to set up a little crypto bounty. If you know how to discover the master passwords of a LastPass or 1Password account, I invite you to prove this yourself (anonymously).

I set up 2 accounts, one for LastPass and one for 1Password. Inside each of them, I stored the backup phrase for 2 wallets. The 1Password one is Bitcoin, and the LastPass one is Ethereum.

Bitcoin Bounty Balance: https://bitcoinexplorer.org/address/1PKF8K1e1BFsBpkjXEWVoGgCdWuqqCKc5C (0.00107999 BTC at the time of deposit)

Ethereum Bounty Balance: https://www.etherchain.org/account/29cea040fAC4839DAc550558d1A88Afe27bb1466 (0.01702 ETH at the time of deposit).

All you have to do is discover the passwords used for either, access the crypto, and then do a withdrawal of the wallet to win the bounty and prove that one or more of these services are indeed leaking master passwords somehow.

The email addresses used for these vaults are:



The password length is the same for both accounts, and both use the same number of numbers and special characters.

Disclaimer - This is not an invite to hack either of these services, but if you do know how to exploit some type of security flaw, this is your opportunity to 'put your money where your mouth is'.

If you agree and want to join in, feel free to make additional deposits to the bounty using these QR codes:

[img]https://i.imgur.com/LcXv7aW.png[/img]

Warning: Money deposited here will not be refunded!